We're excited to introduce the new Microsoft Defender for Cloud app for Sumo Logic. This app helps you to collect the alerts, security recommendation, and regulatory compliance logs using the Sumo Logic Cloud-to-Cloud Azure Event Hub Source and by configuring the continuos export using the Event Hub instance details in the Azure portal. Key features of the Microsoft Defender for Cloud app include:
- Gain real-time visibility into security alerts across your Azure environment, categorized by severity (High, Medium, Low, and Informational).
- Monitor trends in alert activity over time to identify spikes and recurring threats.
- Leverage detailed alert summaries and remediation steps for effective threat mitigation.
- Track compliance performance across critical standards, including FedRAMP, PCI DSS 4, CIS Azure Foundations, and Microsoft Cloud Security Benchmark.
- Analyze threats by categories like data exfiltration, unauthorized access, and account breaches.
Explore our technical documentation [here](/docs/integrations/microsoft-azure/microsoft-defender-for-cloud/) to learn how to set up and use the Microsoft Defender for Cloud app for Sumo Logic.
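Review bot: typo in the release-notes paragraph at the top of this hunk: "continuos export" should read "continuous export", and "security recommendation" should be plural ("alerts, security recommendations, and regulatory compliance logs") to match the feature list that follows; "helps you to collect" reads better as "helps you collect".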
To forward Microsoft Defender events to Sumo Logic, you can set up an efficient pipeline: **Microsoft Defender** > **Event Hub** > **Sumo Logic (Hosted Collector)**. This setup ensures that security events from Microsoft Defender are seamlessly ingested into Sumo Logic for monitoring and analysis.
1.**[Create a Sumo Logic Azure Event Hub Source](/docs/send-data/collect-from-other-data-sources/azure-monitoring/ms-azure-event-hubs-source/)**. Configure an Event Hub source to receive events from the Azure platform. This will act as the endpoint for the data pipeline.
1.**[Set up continuous export in Azure](https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export)**. Within the Azure portal, configure the Microsoft Defender for Cloud to export its security events to the Event Hub instance created in the previous step. Continuous export ensures that the events such as alerts, recommendations, and regulatory compliance updates are forwarded in near real-time as shown below.
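Review bot: the two list markers for the setup steps are written as `1.**[Create a Sumo Logic Azure Event Hub Source]` and `1.**[Set up continuous export in Azure]` with no space between `1.` and the bold link, so Markdown will not render them as an ordered list; the troubleshooting steps later in this change use `1. ` with a space, and these should match. Also "configure the Microsoft Defender for Cloud to export" should drop the article: "configure Microsoft Defender for Cloud to export".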
## Installing the Microsoft Defender for Cloud app
import AppInstall from '../../reuse/apps/app-install.md';
@@ -357,6 +362,30 @@ import CreateMonitors from '../../reuse/apps/create-monitors.md';
|`Critical Alert`| This is a high-priority alert that is triggered when a serious issue or threat is detected within your Azure environment. These alerts often correspond to malicious activities, severe configuration vulnerabilities, or critical system failures requiring immediate attention. | Critical | Count > 0|
|`Critical Security Recommendation`| This alert is triggered when a high-risk vulnerability or misconfiguration is detected in your Azure resources. It provides actionable insights for strengthening your cloud security posture. | Critical | Count > 0 |
## Troubleshooting
### Verify Event Hub data flow
If your configured Event Hub instance is not successfully sending data to Sumo Logic. Follow the below steps to troubleshoot the issue:
1. Navigate to the **Event Hub Instance Blade** in the Azure portal and select the **Data Explorer(preview)** tab to send sample events..<br/> <img src={useBaseUrl('img/integrations/microsoft-azure/event-hub-instance-blade.png')} style={{border:'1px solid gray'}} alt="event-hub-instance-blade" width="800"/>
1. In the **Data Explorer(preview)** page, click **Send event** and preview the sample events.<br/> <img src={useBaseUrl('img/integrations/microsoft-azure/data-explorer.png')} style={{border:'1px solid gray'}} alt="data-explorer" width="800"/>
1. Verify if those events are being sent to the [Sumo Logic by Live Tailing](/docs/search/live-tail/about-live-tail/). If both the data matches, then event hub instance will be successfully sending data to Sumo Logic. <br/> <img src={useBaseUrl('img/integrations/microsoft-azure/live-tailing.png')} style={{border:'1px solid gray'}} alt="live-tailing" width="800"/>
### Validate alerts at Event Hub
If you are not recieving any alerts from the Microsoft Defender to the Event Hub instance. Firstly, make sure that the generated sample alerts are received in your configured Event Hub instance. This ensures the connection between Defender and Event Hub is functioning correctly. To test the pipeline by sending sample alerts from Microsoft Defender by following the below steps:
1. In the **Microsoft Defender** console, select **Security Alerts** under **General** section.
1. In the **Security Alerts** page, select the **Sample Alerts** tab.
1. Click on **Create sample alerts** to receieve the sample alerts. Thereby, to validate that the sample alerts are forwarded to the configured Event Hub instance.
There may be a delay in forwarding alerts from Microsoft Defender to the Event Hub instance. If you experience significant delays, reach out to Azure Support for assistance.
:::
## Upgrade/Downgrade the Microsoft Defender for Cloud app (Optional)
import AppUpdate from '../../reuse/apps/app-update.md';
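Review bot: the closing `:::` at line 388 of this hunk has no matching admonition opener among the lines shown (the lines between 381 and 387 are not in the diff view), so please confirm the delay note ("There may be a delay in forwarding alerts...") actually sits inside an opened `:::note` block; otherwise it renders as plain text followed by a stray `:::`. The Troubleshooting section also needs copy fixes: "If your configured Event Hub instance is not successfully sending data to Sumo Logic. Follow the below steps" is a fragment and should read "If your configured Event Hub instance is not sending data to Sumo Logic, follow these steps to troubleshoot the issue:"; "send sample events.." has a double period; "If both the data matches, then event hub instance will be successfully sending" should read "If the data matches, the Event Hub instance is successfully sending data to Sumo Logic"; "recieving" and "receieve" are misspellings of "receiving" and "receive"; "If you are not recieving any alerts ... Firstly, make sure" and "To test the pipeline by sending sample alerts from Microsoft Defender by following the below steps:" are both ungrammatical and read better as "If you are not receiving any alerts from Microsoft Defender in the Event Hub instance, first make sure ..." and "To test the pipeline, send sample alerts from Microsoft Defender by following these steps:"; "Thereby, to validate that" should be "Then validate that". Finally, it would help readers to state which leg of the pipeline each subsection isolates: the Data Explorer test only proves the Event Hub to Sumo Logic leg, while the Sample Alerts test only proves the Defender to Event Hub leg, so a reader missing alerts end to end knows to run both.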